Published Date: 2020-07-24
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident involving the hack on Blackbaud and multiple organizations, including universities and charities, happened in May 2020 as mentioned in Article 105056. 2. The incident at Aberystwyth University, which was part of the global hack affecting multiple institutions, also occurred in May 2020 as reported in Article 103068. |
System | 1. Blackbaud's data management and cloud software systems [102276, 105056, 102530, 102236, 103068] |
Responsible Organization | 1. Hacker who targeted Blackbaud and stole personal data from various organizations [102276, 105056, 102530] 2. Blackbaud, the cloud computing provider, which suffered the data breach due to the hacker's attack [102276, 105056, 102530] 3. Cyber-criminal who hacked into Blackbaud's system and stole data [102236] |
Impacted Organization | 1. The National Trust [102276, 105056, 102530] 2. Durham University [102276] 3. Blackbaud (data management and cloud software systems provider) [102276, 105056, 102530] 4. Universities in the UK, US, and Canada (including Aberystwyth University, University of Birmingham, University of Bristol, University of Leeds, University of London, University of York, Loughborough University, University College, Oxford, and many more) [102276, 105056, 102530, 102236, 103068] 5. Charities and non-profit organizations (such as Young Minds, Sue Ryder, Crisis, Breast Cancer Now, Action on Addiction, The Wallich, The Urology Foundation, and many more) [102276, 105056, 102530] 6. Schools, churches, museums, and food banks [102276, 102530] 7. Individuals associated with the impacted entities (students, alumni, staff, donors, supporters) [102236, 103068] |
Software Causes | 1. The software cause of the failure incident was a ransomware attack on the cloud computing provider Blackbaud, affecting various organizations including universities, charities, and non-profit organizations [102276, 105056, 102530, 102236, 103068]. |
Non-software Causes | 1. The failure incident was caused by a ransomware attack on the cloud computing provider Blackbaud, leading to a major data breach affecting multiple organizations [102276, 105056, 102530, 102236, 103068]. 2. Blackbaud paid the hackers an undisclosed ransom, which is not illegal but goes against the advice of law enforcement agencies [105056, 102236]. 3. The hackers targeted Blackbaud's systems in May, but the breach was not publicly disclosed until later, causing a delay in addressing the incident [102236, 103068]. 4. The breach involved the theft of personal data such as names, addresses, email addresses, telephone numbers, and other sensitive information from various organizations [102276, 105056, 102530, 102236, 103068]. 5. The breach also raised concerns about the security of financial data, passwords, and other personal details stored by Blackbaud [105056, 102530, 102236]. 6. Blackbaud's response to the breach, including the payment of ransom and assurances about data destruction, raised questions about data security practices and compliance with privacy laws such as GDPR [105056, 102530, 102236, 103068]. |
Impacts | 1. Personal data, including names, dates of birth, addresses, and employment history, of millions of people was stolen by a hacker from various organizations, such as universities, charities, and non-profit organizations, due to a security breach involving Blackbaud's software [102276, 105056]. 2. Bank account information and passwords were feared to be stolen in the security breach at Blackbaud, affecting many UK universities, charities, and organizations worldwide [105056]. 3. Contact details of supporters, including names, addresses, email addresses, and telephone numbers, were accessed in the cyber-attack on Blackbaud, impacting organizations like Crisis, universities, and other non-profits [102530, 102236]. 4. Data from university alumni and supporter web portals and information management systems were affected by the hack, but no bank account or credit card details were taken from Aberystwyth University [103068]. |
Preventions | 1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and ensuring encryption of sensitive data could have prevented the software failure incident [102276, 105056, 102530, 102236, 103068]. 2. Promptly addressing vulnerabilities and applying security patches to software systems could have helped prevent the data breach incident [102276, 105056, 102530, 102236, 103068]. 3. Following best practices for data protection and handling, including securely storing personal information and limiting access to sensitive data, could have mitigated the risk of a cyber-attack [102276, 105056, 102530, 102236, 103068]. 4. Avoiding the payment of ransom demands to hackers, as advised by law enforcement agencies like the FBI, NCA, and Europol, could have prevented the incident and discouraged future attacks [105056, 102236]. 5. Ensuring timely disclosure of security breaches to affected parties and regulatory authorities, as required by GDPR, could have helped in containing the impact of the incident and taking necessary actions to protect data [102530, 103068]. |
Fixes | 1. Enhancing cybersecurity measures to prevent future hacks and data breaches, such as implementing stronger encryption protocols and multi-factor authentication [102276, 105056, 102530, 102236, 103068]. 2. Conducting thorough internal investigations to assess the extent of the data breach and identify any further actions needed to secure data [102276, 105056, 102530, 102236, 103068]. 3. Improving communication and transparency with affected organizations and individuals to provide timely updates and information about the incident [102276, 105056, 102530, 102236, 103068]. 4. Reviewing and potentially revising policies on ransom payments to hackers, considering the advice of law enforcement agencies against paying ransoms [105056, 102236]. 5. Ensuring compliance with data protection regulations, such as GDPR, to report breaches promptly and cooperate fully with regulatory authorities [102530, 103068]. |
References | 1. Blackbaud - the software provider that suffered the security breach [102276, 105056, 102530, 102236, 103068] 2. The National Trust - one of the affected organizations [102276, 105056, 102530] 3. Universities - multiple universities were impacted by the cyber-attack [102276, 105056, 102530, 102236, 103068] 4. Information Commissioner's Office (ICO) - involved in investigating the incident [102276, 105056, 102530, 102236, 103068] 5. Charitable organizations - various charities were affected by the data breach [102276, 102530] 6. Individuals affected by the breach - donors, supporters, alumni, and other individuals [102236, 103068] |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - Aberystwyth University confirmed that it was affected by a hack on cloud computing provider Blackbaud, where no bank account or credit card details were taken. The incident targeted a university alumni and supporter web portal and information management system [Article 103068]. (b) The software failure incident having happened again at multiple_organization: - Blackbaud, the software provider, was targeted by hackers in a security breach affecting many UK universities, charities, and organizations worldwide. The incident involved the theft of personal data, including names, addresses, email addresses, and telephone numbers. Blackbaud paid a ransom to the hackers, who claimed to have destroyed the stolen data. Many organizations, including universities like University of York, Loughborough University, University of London, and University College, Oxford, were affected by this incident [Article 103068]. - The National Trust and other organizations were also victims of a data breach involving Blackbaud, where personal data was stolen by a hacker who demanded ransom money. The breach affected data about volunteering and fundraising communities but not the wider membership database. The incident raised concerns about data security and the reliance on assurances from the hacker regarding the destruction of stolen data [Article 102276, Article 105056, Article 102530]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident occurring due to the development phases: - The incident involving the hack on Blackbaud, a cloud computing provider, resulted in a major security breach affecting numerous organizations, including universities, charities, and non-profit organizations. The breach occurred due to a cyber-criminal who hacked into Blackbaud's system, leading to the theft of personal data such as names, dates of birth, addresses, and employment history [102276]. - Blackbaud, the software provider, faced a security breach where bank account information and users' passwords were feared stolen by hackers. The firm admitted that the theft had been limited to personal data but not payment details. The incident was a result of a security breach at a service used by many UK universities and charities, indicating a failure in the development and security measures of the software [105056]. (b) The software failure incident occurring due to the operation phases: - The incident involving the hack on Blackbaud led to concerns about the operation and handling of personal information securely and responsibly by organizations. The Information Commissioner's Office in the UK emphasized that people have the right to expect secure handling of their personal information and should report any concerns about data handling. This indicates a failure in the operation and management of personal data by the affected organizations [102276]. - The incident involving the hack on Blackbaud raised questions about the company's operation and security practices. The company paid a ransom to the attackers, which goes against the advice of law enforcement agencies. This decision to pay the ransom and the delayed disclosure of the breach to the public highlighted operational failures in handling cybersecurity incidents and data breaches [105056]. |
Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident involving the hack of Blackbaud's systems and the subsequent data breach can be categorized as within_system. The incident was caused by a ransomware attack on Blackbaud's cloud computing systems, leading to the theft of personal data from various organizations, including universities, charities, and non-profit organizations [102276, 105056, 102530, 102236, 103068]. The breach originated from within Blackbaud's systems, highlighting a vulnerability in their software and security measures. (b) Additionally, the incident can also be categorized as outside_system as the attack was carried out by external hackers who targeted Blackbaud's systems. The hackers exploited a vulnerability in Blackbaud's software, leading to the unauthorized access and theft of sensitive data from multiple organizations [102276, 105056, 102530, 102236, 103068]. The external nature of the attack emphasizes the role of external factors in causing the software failure incident. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident involving the hack on Blackbaud, a cloud computing provider, resulted in a major data breach affecting numerous organizations, including universities, charities, and non-profit organizations [102276]. - The hack targeted Blackbaud's systems, leading to the theft of personal data such as names, addresses, dates of birth, and employment history of millions of individuals [102276]. - The cyber-criminal who hacked into Blackbaud's systems claimed to have destroyed the stolen data after a ransom was paid [102276]. - Blackbaud confirmed that the cyber-criminal accessed unencrypted fields intended for sensitive information like bank account details, social security numbers, usernames, and passwords [105056]. - Blackbaud paid a ransom to the cyber-criminal, leading to concerns about the security of the stolen data and the potential misuse of the information [105056]. - The incident involved a ransomware attack on Blackbaud's systems, resulting in the removal of a subset of data by the cyber-criminal [103068]. - Blackbaud acknowledged that the cyber-criminal accessed some unencrypted fields containing sensitive information, although credit card details, bank account information, and social security numbers were not compromised [103068]. (b) The software failure incident occurring due to human actions: - Blackbaud faced criticism for not disclosing the hacking incident externally until July and for paying an undisclosed ransom to the hackers [103068]. - The decision by Blackbaud to pay the ransom was against the advice of law enforcement agencies like the FBI, NCA, and Europol [103068]. - The delayed disclosure of the hack by Blackbaud raised concerns about the handling of the incident and the potential risks to the affected organizations and individuals [103068]. - The incident highlighted the importance of data security and the need for organizations to promptly report significant breaches to data authorities to comply with regulations like GDPR [103068]. |
Dimension (Hardware/Software) | software | (a) The articles do not provide information about the software failure incident occurring due to hardware-related factors. (b) The software failure incident reported in the articles is due to contributing factors that originate in software. The incident involved a hack on the cloud computing provider Blackbaud, resulting in a major data breach affecting numerous organizations, including universities, charities, and non-profit organizations [102276, 105056, 102530, 102236, 103068]. The hackers targeted Blackbaud's systems, leading to the theft of personal data such as names, addresses, email addresses, telephone numbers, and donation histories. The breach involved a ransomware attack in May, with Blackbaud paying the hackers a ransom. The stolen data included a subset of information from Blackbaud's self-hosted environment, and the cybercriminals claimed to have destroyed the data. However, concerns were raised about the potential misuse of the stolen data, even though Blackbaud stated that sensitive information like credit card details was not accessed. The incident highlighted the importance of data security and the risks associated with cyber attacks on software systems. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident reported in the news articles is malicious. The incident involved a hacker who targeted the cloud computing provider Blackbaud, leading to a major security breach affecting numerous organizations, including universities, charities, and non-profit organizations. The hacker stole personal data such as names, dates of birth, addresses, and employment history from millions of people [102276, 105056, 102530, 102236, 103068]. The hacker demanded ransom money from Blackbaud and claimed to have destroyed the stolen data after the ransom was paid. The incident was characterized by the hacker's actions to block Blackbaud from using its own system and the subsequent removal of a subset of data [102276, 105056]. (b) The software failure incident was non-malicious. The incident involved a security breach at a service used to raise donations from millions of people, where bank account information and users' passwords were feared to be stolen by hackers. The developer Blackbaud admitted to the theft of personal data but not payment details. The incident led to concerns about the security of personal information and the potential risks associated with the stolen data [105056]. |
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) The intent of the software failure incident related to poor_decisions: The software failure incident involving Blackbaud and the data breach was due to poor decisions made by the company. Blackbaud paid the hackers an undisclosed ransom after the attack and believed that the stolen data had been destroyed. This decision to pay the ransom goes against the advice of law enforcement agencies, including the FBI, NCA, and Europol, who advise against paying ransom demands in such situations [Article 105056]. (b) The intent of the software failure incident related to accidental_decisions: The software failure incident involving Blackbaud and the data breach was also influenced by accidental decisions or unintended consequences. Blackbaud initially stated that the theft was limited to personal data and not payment details, but later admitted that some unencrypted fields containing sensitive information like bank account details, social security numbers, usernames, and passwords may have been accessed by the cybercriminals. This accidental exposure of sensitive information was not intended but occurred as a consequence of the breach [Article 105056]. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident occurring due to development incompetence: - The incident involving the hack of personal data from various organizations, including universities, charities, and non-profit organizations, was attributed to a cyber-criminal who targeted an American technology company's data vault [102276]. - Blackbaud, the data management and cloud software provider for the non-profit sector, suffered a data theft incident due to a hacker gaining unauthorized access to their systems [102276]. - Blackbaud faced criticism for not disclosing the hack externally until July and for paying an undisclosed ransom to the hackers, which goes against the advice of law enforcement agencies [103068]. (b) The software failure incident occurring accidentally: - Blackbaud, the software provider affected by the hack, mentioned that the cyber-criminal removed a copy of a subset of data from their environment before being locked out, indicating an accidental breach of data [103068]. - Blackbaud stated that the cyber-criminal did not access credit card information, bank account information, or social security numbers, suggesting that the breach may have been accidental in terms of the specific data accessed [102236]. |
Duration | temporary | (a) The software failure incident in the articles appears to be temporary. The incident was a result of a ransomware attack on the cloud computing provider Blackbaud, affecting various organizations including universities, charities, and non-profit organizations. The attack occurred in May, and Blackbaud paid the hackers a ransom. The stolen data was reported to have been destroyed, and there was no evidence of it being misused [Article 102236]. The incident was discovered and stopped, and the cyber-criminal was expelled from the system [Article 102236]. The breach was reported to the Information Commissioner's Office and other relevant authorities for investigation [Article 103068]. Additionally, Blackbaud mentioned that the majority of their customers were not part of the incident, indicating that the failure was not permanent but rather a specific incident affecting a subset of clients [Article 103068]. |
Behaviour | crash, value, other | (a) crash: - The incident involving Blackbaud and the data breach at various organizations, including universities and charities, can be categorized as a crash behavior. The system lost control over the personal data stored within it, leading to unauthorized access and theft of information [102276, 105056, 102530, 102236, 103068]. (b) omission: - The software failure incident did not specifically mention an omission behavior where the system omitted to perform its intended functions at an instance(s). (c) timing: - The incident does not align with a timing behavior where the system performed its intended functions correctly but too late or too early. (d) value: - The software failure incident can be categorized under a value behavior as the system failed to protect personal data, resulting in unauthorized access to names, addresses, email addresses, telephone numbers, and other sensitive information [102276, 105056, 102530, 102236, 103068]. (e) byzantine: - The incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions. (f) other: - The software failure incident can also be described as a security breach due to a hack, leading to the theft of personal data from various organizations, including universities, charities, and non-profit organizations [102276, 105056, 102530, 102236, 103068]. |
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving Blackbaud resulted in the theft of personal data from various organizations, including universities, charities, and non-profit organizations. The stolen data included personal information such as names, dates of birth, addresses, employment history, and donation history. No credit card or financial information was taken, but the breach did involve sensitive personal data [102276, 105056, 102530, 102236]. The breach led to concerns about the security of data, especially since the hacker had access to information about donors, their donation history, and other personal details. While the hacker claimed to have destroyed the stolen data after a ransom was paid, there were worries about the potential misuse of the information by fraudsters [102530, 102236]. |
Domain | information | (a) The failed system was intended to support the information industry, specifically affecting organizations such as universities, charities, museums, schools, churches, and food banks that handle personal data and fundraising activities [102276, 105056, 102530, 102236, 103068]. (b) The transportation industry was not directly mentioned in the articles. (c) The failed system did not directly impact the natural resources industry. (d) The failed system was not directly related to the sales industry. (e) The failed system was not directly related to the construction industry. (f) The failed system was not directly related to the manufacturing industry. (g) The failed system was not directly related to the utilities industry. (h) The failed system was not directly related to the finance industry. (i) The failed system was not directly related to the knowledge industry. (j) The failed system was not directly related to the health industry. (k) The failed system was not directly related to the entertainment industry. (l) The failed system was not directly related to the government industry. (m) The failed system was not directly related to any other specific industry mentioned in the articles. |
Article ID: 102276
Article ID: 105056
Article ID: 102530
Article ID: 102236
Article ID: 103068